This invention relates to signature verification apparatus for performing verification of one or more digital signatures signed on a document.
To facilitate signature verification of a document on which one or more digital signatures are signed, a "sealing" method is known. In the sealing method, an authority seals a verification key together with user information. A signer preliminarily sends his or her verification key and user information to the authority so that the authority puts its own signature on them; the result is called a "seal" hereinafter. After the signer puts the signer's signature on a document, the signer attaches the seal to it before sending it as an input document to a document recipient. On receiving the input document, the document recipient first verifies the authority's signature in the input document to confirm that the authority's signature is valid. If the authority's signature is valid, the document recipient knows that the authority certified the signer's verification key and the user information. As a result, the document recipient can verify the signer's signature by using the signer's verification key.
Such a method is described in detail by Warwick Ford in Chapter 4 of a book published by PTR Prentice Hall (1994) and titled "Computer Communication Security," on pages 65 to 107. This book illustrates Privacy Enhanced Mail (PEM) as an instance of key management. In this system, a user holds certification information in which a certification office puts its certification signature on the user's own verification key and personal information, and the user sends a signature document with the certification information attached.
Another method is disclosed in detail in U.S. Pat. No. 5,005,200 issued to Fischer. Fischer's U.S. patent enforces limitations and accountability from one hierarchy level to the next so that the recipient of any message signed with such a (hierarchically derived) certificate can be assured that the authority represented by the signer is strictly accounted for. Fischer's U.S. patent provides a methodology for digitally signing documents in which the signature is generated both for computer verification and for reverification if a document needs to be reconfirmed in the future by reentering it from a paper rendition. To accomplish this end, two hash values are utilized in digital signatures of document-type computer messages. The first hash value relates to the exact bit-for-bit data in the file. This allows validation of the exact original document as long as it is accessible in computer-readable form.
In Fischer's U.S. patent, each terminal is capable of generating a plain text or unenciphered message, performing whatever signature operation may be required, and transmitting the message to any of the other terminals connected to a communications channel (or to a communications network which may be connected to a communications channel). Additionally, each terminal is capable of performing signature verification on each message. As is well known in the art with respect to public key cryptosystems, each of the terminal users has a public encrypting key and an associated private secret decrypting key. In the public key cryptosystem, each terminal user is aware of the general method by which the other terminal users encrypt a message. Additionally, each terminal user is aware of the encryption key utilized by the terminal's encryption procedure to generate the enciphered message. Each terminal user, however, by revealing his encryption procedure and encryption key does not reveal his private decryption key, which is necessary to decrypt the ciphered message and to create signatures. In this regard, it is computationally infeasible to compute the decryption key from knowledge of the encryption key.
In the above-mentioned conventional methods, the certification signature of the certification office becomes invalid when any part of the verification key or the personal information is removed. As a result, all of the information, including user information that is unnecessary for the document in question, must be attached to the document, which increases the amount of information attached to the signature document. In addition, in the above-mentioned conventional methods, each user must manage his or her own information in order to have the authority, such as the certification office, sign it. This places a heavy burden on the user.
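The sealing exchange described earlier and the drawback just stated, as an added example that is not part of the patent: the authority signs the verification key concatenated with the user information, the recipient checks that seal before checking the signer's signature, and removing part of the sealed user information makes the seal fail. It uses Ed25519 from the Go standard library and constructed fixed-seed keys (not real keys); all names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Seal is what the authority returns to the signer: the verification key, the user information,
// and the authority's signature over both.
type Seal struct {
	VerifyKey ed25519.PublicKey
	UserInfo  []byte
	AuthSig   []byte
}

// sealPayload is the byte string the authority signs: key || user info.
func sealPayload(key ed25519.PublicKey, info []byte) []byte {
	return append(append([]byte{}, key...), info...)
}

// IssueSeal is the authority's step: sign the verification key and user information.
func IssueSeal(authPriv ed25519.PrivateKey, key ed25519.PublicKey, info []byte) Seal {
	return Seal{key, info, ed25519.Sign(authPriv, sealPayload(key, info))}
}

// VerifySealedDocument is the recipient's step: check the seal with the authority's
// key first, then check the signer's signature with the key the seal certifies.
func VerifySealedDocument(authPub ed25519.PublicKey, s Seal, doc, docSig []byte) bool {
	if !ed25519.Verify(authPub, sealPayload(s.VerifyKey, s.UserInfo), s.AuthSig) {
		return false // not the authority's seal, so the key is not certified
	}
	return ed25519.Verify(s.VerifyKey, doc, docSig)
}

// RunScenario plays the exchange with constructed fixed-seed keys and returns whether the
// full seal verifies and whether a seal whose user information was cut down verifies.
func RunScenario() (full, trimmed bool) {
	authPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	signerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	info := []byte("name=Alice;dept=Drafting;superior=Bob") // constructed user information
	seal := IssueSeal(authPriv, signerPriv.Public().(ed25519.PublicKey), info)
	doc, authPub := []byte("constructed input document"), authPriv.Public().(ed25519.PublicKey)
	docSig := ed25519.Sign(signerPriv, doc)
	full = VerifySealedDocument(authPub, seal, doc, docSig)
	// Dropping the fields after the name breaks the authority's signature, which is why the
	// conventional method must carry all of the sealed user information with the document.
	short := Seal{seal.VerifyKey, info[:len("name=Alice")], seal.AuthSig}
	trimmed = VerifySealedDocument(authPub, short, doc, docSig)
	return full, trimmed
}

func main() {
	full, trimmed := RunScenario()
	fmt.Printf("full seal ok: %v, trimmed seal ok: %v\n", full, trimmed)
}
```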
In an actual document, there are cases where a procedure is required in which a drafter signs first and his or her superiors sign thereafter. Under the circumstances, in the conventional methods, in order to use information indicative of the relationships between superiors and subordinates, each user must describe all such relationships in his or her own user information. Accordingly, it is difficult to keep this information consistent. In addition, each user must update the user information whenever the organization changes.
Furthermore, many digital signature algorithms have already been published, and not all offices necessarily use the same algorithms. Suppose that an office A performs digital signature and verification by using an algorithm A while another office B performs digital signature and verification by using another algorithm B. In such a case, it is impossible to verify, in office B, a document signed in office A. Although it is possible to unify a signature scheme within the same company, it is generally impossible to unify a signature scheme between companies. As a result, the range over which a signature can be sent and remain valid is restricted. In addition, a similar problem occurs due to a difference in signature format even with the same signature scheme.